Learning Attribute-Based and Relationship-Based Access Control Policies with Unknown Values
Thang Bui, Scott D. Stoller

TL;DR
This paper introduces novel algorithms for mining Attribute-Based and Relationship-Based Access Control policies from legacy data, even when some entity attribute values are unknown, reducing migration costs.
Contribution
It presents the first algorithms capable of learning ABAC and ReBAC policies from incomplete access control data with unknown attribute values.
Findings
Algorithms effectively learn policies from incomplete data.
First known approach to handle unknown attribute values in policy mining.
Reduces costs of migrating to ABAC and ReBAC systems.
Abstract
Attribute-Based Access Control (ABAC) and Relationship-Based Access Control (ReBAC) provide a high level of expressiveness and flexibility that promote security and information sharing, by allowing policies to be expressed in terms of attributes of and chains of relationships between entities. Algorithms for learning ABAC and ReBAC policies from legacy access control information have the potential to significantly reduce the cost of migration to ABAC or ReBAC. This paper presents the first algorithms for mining ABAC and ReBAC policies from access control lists (ACLs) and incomplete information about entities, where the values of some attributes of some entities are unknown. We show that the core of this problem can be viewed as learning a concise three-valued logic formula from a set of labeled feature vectors containing unknowns, and we give the first algorithm (to the best of our…
